Hacking FairPlay Legally?

Fortune has a fascinating article about “DVD Jon” Johansen’s latest project, a company that licensing technology to make third-party devices work with Apple’s FairPlay DRM. His software will allow third-party music stores to transfer their music to the iPod, and it will allow third-party device makers to play iTunes songs. Fortune asks the obvious question:

There’s an obvious question: Isn’t opening the iTunes system illegal? There is no obvious answer. FairPlay is not patented, most likely because the encryption algorithms it uses are in the public domain. (Apple would not comment for this story.) And Johansen says he is abiding by the letter of the law – if not, perhaps, its spirit.

To let other sites sell music that plays on the iPod, his program will “wrap” songs with code that functions much like FairPlay. “So we’ll actually add copy protection,” he says, whereas the DMCA prohibits removing it. Helping other devices play iTunes songs could be harder to justify legally, but he cites the DMCA clause that permits users, in some circumstances, to reverse-engineer programs to ensure “interoperability.”

It seems to me that this is backwards. Johansen’s actions clearly are within the spirit of the law. There’s a reverse-engineerig clause in there for a reason. It’s extremely unlikely that creating platform monopolies was what Congress had in mind when it passed the DMCA.

However, I think Johansen is on extremely precarious ground when it comes to the letter of the law. The DMCA defines “circumvention” as:

to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.

The linchpin of this, it seems to me, is the bit about the “authority of the copyright owner.” Circumvention isn’t a technological concept, but a legal one. Ultimately, technologies that are blessed by the copyright owner (or those, such as Apple, to whom such authority has been delegated) are legal. Those that have not been so blessed are illegal. That seems pretty clear to me.

In contrast, the reverse engineering exception is as clear as mud. As I wrote in my Cato paper:

[The reverse engineering exception] allows circumvention for the purpose of “identifying and analyzing those elements of [a] program that are necessary to achieve interoperability.” Moreover, it allows the distribution of reverse engineering tools for that purpose and “for the purpose of enabling interoperability of an independently created computer program with other programs.”

Although well-intentioned, the reverse engineering exception is too vague to offer meaningful protection for innovators seeking to build compatible products. To be effective, a DRM scheme must prevent unauthorized devices from “interoperating” with it. Because unauthorized devices are not bound to enforce the rules of the DRM system, the designer of a DRM system cannot afford to allow them access to protected content. By definition, then, any product that achieves interoperability against the wishes of the creator of another product is “circumventing” the DRM scheme.

Yet, strangely, the statute gives no clear guidance on how to distinguish “enabling interoperability of an independently created computer program” (which is permitted) from “circumvent[ing] a technological measure” (which is prohibited).

I think these concerns still apply. Johansen effectively replaces Apple’s DRM scheme with his own. That means that he, not Apple, gets to decide what restrictions will be placed on the use of the files. It’s not at all clear how a court ought to go about determining if Johansen’s software “achieves interoperability” with FairPlay or “circumvents” it. The terms aren’t defined in a way that would allow us to draw a clear distinction.

I think it would be fantastic if a court ruled Johansen’s product legal. But I just don’t know how they could do it. If they rule that reverse engineering is broadly legal, they’ll effectively neuter the circumvention ban, as people can tack on token copy protection while doing as they please with copyrighted content. If, on the other hand, if they rule that this particular act of circumvention is legal, they’ll have to draw some kind of distinction between this one and others. Drawing any such distinction would likely require getting deeply involved in the design of DRM schemes–something the courts are hardly qualified to do.

Apple may choose not to sue in the short term. Even if they won the case, it would bring a lot of bad publicity. And the mere threat of a lawsuit may be enough to prevent most firms from doing business with Johansen. Indeed, I kind of hope Johansen does get sued, because whichever way the case comes out, it would bring some much-needed clarity to the reverse-engineering exception.

Update: I should have more clearly drawn the distinction between playing third party music on iPods and playing iTunes songs on third party players. My analysis above applies to the latter case. I think the former is probably legal under the DMCA. Indeed, that’s what Real did in 2004, and Apple has yet to sue them for it. Which makes me think Apple’s lawyers probably think they’d lose such a case.

The fundamental issue here is, again, the “authority of the copyright owner.” Playing third-party music on the iPod requires the permission of the copyright owner, but it doesn’t require Apple’s permission. In contrast, playing iTunes music on a third-party player does require Apple’s permission, since in that case Apple has a license from the copyright owner.